TrustArc Blog

The Legacy of the Cookie Directive

December 20, 2012

Saira Nayak
Director of Policy, TRUSTe
@sairanayak


According to the UK ICO’s latest report into cookie compliance, it has received only 550 complaints, compared with 53,000 about unwanted marketing communications. TRUSTe’s analysis of the impact of the directive revealed that the majority of users were choosing to accept advertising cookies.

So, after a year of intense discussion and compliance headaches for EU companies, what will be the lasting legacy of this legislation?

I recently asked David Smith, the Deputy Commissioner at the ICO, that very question. He responded:

“One of the legacies [for the EU Cookie Directive] is actually for businesses to begin to think before they adopt new technologies, or other new developments, and make sure they’re privacy friendly.
Because actually if you turn the clock back to long before the Directive, leaving cookies on someone’s property without consent or even notice appears quite wrong. You’re putting some piece of text on my system, my device, which identifies me to you. And you’re doing it without even telling me, let alone getting my consent. That doesn’t feel right even though it had become common practice. So, the idea that you should have consent for cookies is actually correct. It’s just a challenge trying to sort of retrofit and rectify the status quo.”

But, before EU businesses think that they have ticked “privacy compliance” off the list simply by adding a pop-up banner on their website, it is worth looking at the storm of protest currently engulfing Instagram.

Instagram recently posted changes to its terms of service and privacy policy, which resulted in a social media uproar as users feared that the wording gave Instagram the option to use images on the site without permission or payment. Instagram responded with a blog post saying “To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear.” However, if the discussion on Twitter and other social channels is true, many users will have left the service before the new policy comes into effect on January 16.

Today, Instagram responded to its customers and the recent media storm by taking back the proposed policy changes and offering them an apology.

The conclusion is clear yet again – get privacy wrong and there can be significant business consequences. Recent EU research affirmed that consumer privacy concerns are high. Across France, Germany, Great Britain and The Netherlands, 68% of consumers expected companies to comply with the EU Cookie Directive and 41% planned to only visit websites that do.

Collecting and using customer data is key to powering the growth and innovation in both the web and mobile economies. However, businesses need to be aware of the inherent risks of handling this valuable information. Proper procedures need to be put in place to ensure your data management practices are compliant with the relevant regulations and to foster trust with your customers. By using best practices to protect your customers’ privacy, you can ensure that they will visit your site, click on your ads, download your application and share their information.

David Smith summed this up in his final words on the legacy of the Cookie Directive:

“I think this is the lesson: if you don’t do things in a privacy-friendly way, look at what the consequences are.”

As 2012 comes to a close and we look ahead to 2013, businesses need to remember that a comprehensive data privacy management strategy is critical when using customer data to power their business. Hopefully this message is heard loud and clear and will be a top priority and resolution for 2013.